oski | d40dedd7f637a1ef9703b582a6d536469d1cf62bddc1a462a9cceeb7f9194f13

General

Target

5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe
Size

301KB
MD5

5e45692f423e4f683e1c246679e6d572
SHA1

bdc1cf9aa3625fc0d514628a55c767c8ed07e17b
SHA256

d40dedd7f637a1ef9703b582a6d536469d1cf62bddc1a462a9cceeb7f9194f13
SHA512

93de1b3cc9601adc6af8c2bdedec1633dfd82cc6a09d327836df2af628423db52174e1d9f6a241045a9ef593f0edd65e2b3a2797a64cbed73b2c54231ba0692c
SSDEEP

6144:8DKW1Lgbdl0TBBvjc/VddFYZF2IqG4qKBNDgEpxpAvtWbROF2:qh1Lk70TnvjcndMFJSPBNDvGvwbRe2

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

no1geekfun.com/surce/a/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Executes dropped EXE 1 IoCs

Processes:

chrmuim.exe

pid process

2104 chrmuim.exe

pid	process
2104	chrmuim.exe

Loads dropped DLL 5 IoCs

Processes:

5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exeWerFault.exe

pid	process
2172	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe
2172	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2612 2104 WerFault.exe chrmuim.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2172 5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe

pid	pid_target	process	target process
2612	2104	WerFault.exe	chrmuim.exe

description	pid	process
Token: SeDebugPrivilege	2172	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exechrmuim.exe

description	pid	process	target process
PID 2172 wrote to memory of 2104	2172	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe	chrmuim.exe
PID 2172 wrote to memory of 2104	2172	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe	chrmuim.exe
PID 2172 wrote to memory of 2104	2172	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe	chrmuim.exe
PID 2172 wrote to memory of 2104	2172	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe	chrmuim.exe
PID 2104 wrote to memory of 2612	2104	chrmuim.exe	WerFault.exe
PID 2104 wrote to memory of 2612	2104	chrmuim.exe	WerFault.exe
PID 2104 wrote to memory of 2612	2104	chrmuim.exe	WerFault.exe
PID 2104 wrote to memory of 2612	2104	chrmuim.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\chrmuim.exe
  "C:\Users\Admin\AppData\Local\Temp\chrmuim.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 796
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msvcp140.dll

Filesize
9KB

MD5
19929e8cb6ec5435cc100aad83e093b4

SHA1
715d72030ce455a2cd572329af98bbcd23ae52d4

SHA256
2ecfda86ed6fad78f103aebe513ebc3258f07e37fd2fe9e2f16ebaf3324a38d8

SHA512
4fedd91be1a51584f6165290e00f51ec21c496e962c3d65e8620b2098cdd0cb0a7da96a0774bda7d444f6a7598da39d556fcf75cc9eb396ac261a8b3f65b2320

Download Submit
\Users\Admin\AppData\Local\Temp\chrmuim.exe

Filesize
200KB

MD5
35958a7d85fc88a18f931ee14e6ec531

SHA1
087fedd2ac4fe703da8ad32957998d1dffcb728b

SHA256
73fbf9c783b7e3a941837995f1a5181eca114e8923d6cc7ffb362ea88a8d0ba3

SHA512
de7cb672507d2c2c6de27301a36507939be19231ff97c1c062e2cfda354b4e89f42570f448f8f24e3d8714d6d651b484bc36a8f4dbd53c3e6b968ef002fdb489

Download Submit
memory/2172-34-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-6-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-4-0x0000000002180000-0x00000000021BA000-memory.dmp

Filesize
232KB

Download
memory/2172-8-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/2172-36-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-48-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-55-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-54-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-56-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-50-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-46-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-44-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-42-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-40-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-38-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-5-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-3-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-52-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-32-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-30-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-29-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-26-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-24-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-22-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-20-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-18-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-16-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-14-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-12-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-10-0x0000000002180000-0x00000000021B3000-memory.dmp

Filesize
204KB

Download
memory/2172-2-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-67-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-1-0x0000000001E20000-0x0000000001E5A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing